King, Valerie A.

From: King, Valerie A. 

Sent: Wednesday, January 21, 2004 10:12 PM 

To: Mulligan, Valerie J. 

Cc: Mawyer, Denise T.; Roethig, Hans 

Subject: RE: PM USA Compliance with Data Privacy Laws 

DSS: No 

Tracking: Recipient Read 

Mulligan, Valerie J. Read: 1/22/2004 6:05 AM 
Mawyer, Denise T. 

Roethig, Hans 
Valerie:

Attached please find the response on behalf of Clinical Evaluation. A couple of points and questions: 

For the vendors included in Exhibit B we have not filled in columns J, K, and L in detail. This will require 
additional time and input on the part of the vendors. Prior to asking the vendors to provide us the level of detail 
requested, we need to 1) understand whether it will be necessary for all of the listed types of information (or if 
there are specific pieces for which the detail is more important), and 2) what the specific rationale is for the 
request (e.g., HIPAA compliance). For the three vendors listed, the information is all being collected in the
context of clinical study conduct; this may have some bearing on what we are ultimately trying to comply with. 
Please let us know. 

Also, what will be the process for updating this information? There are some items that may be within the scope 
of this request that are not yet in place or actively collecting/storing these types of information. Will we be 
prompted for updates, or, is it our responsibility to provide updates as necessary? 

Please call me if you'd like to discuss. 

Thanks, 

Valerie 


-Original Message-

From: Mulligan, Valerie J. 

Sent: Wednesday, January 21, 2004 11:19 AM 

To: Bugg, Joy J.; Nixon, Gerry M.; Carchman, Loreen; Fox, Kathleen H (WSA); Livermore, Andrew; King, 
Valerie A.; Elves, Robert G.; Hayes-Eckles, Arnita 
Cc: Murphy, Larry B. 

Subject: FW: PM USA Compliance with Data Privacy Laws 

Importance: High 

Hi All, 

Please review below, answers to questions that some folks in WSA raised regarding the scope of Craig 
Saxon's request. Hopefully this will help you in determining what information is appropriate for this
request. 

As a reminder I need this information from you by EOB today in order to fulfill Larry Murphy's request for 
this information. 

Thank you in advance for your help. 

1/22/2004 
Source: https://www.industrydocuments.ucsf.edu/docs/yrpx0001
QS & Compliance Leader - WSA
Philip Morris USA, OC - T3W 
Tel: (804) 274-3670 
valerie.j.mulligan@pmusa.com


-Original Message- 

From: Saxon, Craig P. 

Sent: Wednesday, January 21, 2004 10:51 AM 
To: Mulligan, Valerie J. 

Subject: RE: PM USA Compliance with Data Privacy Laws 
Answers to your questions. 

Could you provide me with some specific and relevant examples of exactly what you are looking for in 
regards to this request? WSA has an internally developed organization chart and collections of information,
such as social security numbers and phone numbers of employees for their own purposes. Would this kind 
of information fall in scope of your request? 

Typically information that you're using in the course of business would not fall in scope. I would like to point 
out that if this information is being stored on a shared drive or other type of shared device
(EDMS) where it could be accessed through our network then this should be identified. If the information 
is in your office or your PC then it should not be identified. Some examples of information we would 
identify are the Smokers Database, Tesseract, Sharp, PI2000 Database, etc. 

Personal Information- 

Is the basic HR-type information that anyone with direct reports might have in scope for this? No

We have contact information for a number of vendors, scientists, etc., which may include name, mailing 
address, e-mail, phone, fax, etc., on business cards, in contact lists on the computer, etc. These are used 
in the course of business and have not been systematically accumulated by PI, but have just added up as 
people need to get in touch with each other. Are these in scope? As long as this is not on shared devices 
or in filing cabinets accessible to just anyone, then no, you would not identify this. 

Non-Personal Information- 

We have contracts with several vendors to gather public scientific information (e.g. for a particular chemical 
or material) and write a summary report on that information for us. Is that in scope? Yes. They are
gathering information on our behalf and we have an obligation to identify this. 

We have scientific information directly from vendors about their products. There are over 1000 vendors 
mentioned in our database at this point. Does this mean 1000+ sheets of entries into this spreadsheet? If 
so, we may need an extension on the deadline. Identifying the Database and the types of information 
stored would be sufficient. I assume these vendors are not collecting information on our behalf, if this were 
the case then we would identify the vendor and the types of info they are collecting. 

Give me a call if you have questions. 


-Original Message-

From: Mulligan, Valerie J.

Sent: Thursday, January 15, 2004 8:24 AM 
To: Saxon, Craig P. 

Cc: Bugg, Joy J.; Nixon, Gerry M. 

Subject: FW: PM USA Compliance with Data Privacy Laws 

Mr. Saxon, 

I have received several calls from WSA employees regarding your request for information 
around PM USA Compliance with Data Privacy Laws. I attempted to contact you several times 
yesterday in order to get a better understanding/detail of what you are asking for. Could you provide 
me with some specific and relevant examples of exactly what you are looking for in regards to this
request? WSA has an internally developed organization chart and collections of information, such
as social security numbers and phone numbers of employees for their own purposes. Would this 
kind of information fall in scope of your request? 

Also, please review the email below for additional examples of information that WSA 
collects. Would this fall in scope of your request? We would appreciate any guidance you could 
provide us in determining the scope of this request. 

Thank you for your help with this. 

Valerie

QS & Compliance Leader - WSA
Philip Morris USA, OC - T3W
Tel: (804) 274-3670
valerie.j.mulligan@pmusa.com


-Original Message- 

From: Nixon, Gerry M. 

Sent: Wednesday, January 14, 2004 4:41 PM 
To: Mulligan, Valerie J. 

Subject: RE: PM USA Compliance with Data Privacy Laws 
Hi, Valerie- 

As we discussed, I have a number of questions about the scope of this request: 

Personal Information- 

Is the basic HR-type information that anyone with direct reports might have in scope for this?

We have contact information for a number of vendors, scientists, etc., which may include name, 
mailing address, e-mail, phone, fax, etc., on business cards, in contact lists on the computer, etc. 
These are used in the course of business and have not been systematically accumulated by PI, but 
have just added up as people need to get in touch with each other. Are these in scope? 


Non-Personal Information-

We have contracts with several vendors to gather public scientific information (e.g. for a particular
chemical or material) and write a summary report on that information for us. Is that in scope? 

We have scientific information directly from vendors about their products. There are over 1000 
vendors mentioned in our database at this point. Does this mean 1000+ sheets of entries into this 
spreadsheet? If so, we may need an extension on the deadline. 

Thanks in advance for your help with these questions. 

Gerry 


-Original Message-

From: Mulligan, Valerie J. 

Sent: Wednesday, January 14, 2004 12:21 PM 

To: Solaria, Rick P.; Bugg, Joy J.; Podraza, Ken F.; Nixon, Gerry M.; Carchman, Loreen; Fox, 
Kathleen H (WSA); Kobal, Gerd; Livermore, Andrew; Roethig, Hans; Kinser, Robin D.; King, 
Valerie A.; Walk, Roger A.; Elves, Robert G.; Zhang, Mingda (R&D); Patskan, George J. 

Cc: Murphy, Larry B.

Subject: FW: PM USA Compliance with Data Privacy Laws 

Importance: High 

Hello, 

Please review the request below. Based on activities of your department some of your work 
or the work that the vendors do for you may fall in scope of this request. I need your help in 
identifying such activities. Please read the memo from Craig Saxon as it describes the 
details of the request (the excel spreadsheets are to be used to enter data as described in 
Craig's request). 

In order that I can compile the information by the date that Larry has requested, please 
provide the information to me by January 20, 2004. 


QS & Compliance Leader - WSA 
Philip Morris USA, OC - T3W 
Tel: (804) 274-3670
valerie.j.mulligan@pmusa.com


-Original Message- 

From: Murphy, Larry B.

Sent: Friday, January 09, 2004 5:04 PM 

To: Mulligan, Valerie J.; Mullins, Robert; Holleman, Robin P; Newman, Ken A.; Stephens, 
Nancy L; Arthur, Rose C.; Drumwright, Debbie; Mait, Barbara S.; Smith, Eric L. 

Subject: FW: PM USA Compliance with Data Privacy Laws 

Importance: High
Greetings, 

Please read the request below and let me know of any group or entity within your department 
that may be in scope of this request. If they are in scope, please complete and return to me 
completed exhibits that are attached. I would like to have your responses by Wednesday 
January 21st. 

Ken, I need your help identifying the individual(s) within PD&T who can help with this activity. 

Thanks 

Larry 

4-6341 


-Original Message- 

From: Saxon, Craig P. 

Sent: Friday, January 09, 2004 4:44 PM 
To: Murphy, Larry B. 

Subject: PM USA Compliance with Data Privacy Laws 
Importance: High 


InterOffice Memorandum

Philip Morris USA Richmond, Virginia 

To: Distribution

Date: January 9, 2004

From: Craig Saxon, IS Compliance

Re: PM USA Compliance with Data Privacy Laws 



IS Compliance is assisting the PM USA Law department to bring PM USA into compliance 
with various federal and state data privacy laws, including California’s Anti-Hacker law (Cal. 
Civ. Code § 1798.82 et seq.). The first step in this process is to identify all physical and 
electronic records, both internal and external, that contain personal information collected by 
or on behalf of PM USA. Therefore, we need your assistance to identify the location of 
records containing personal information, the specific types of information contained in those
records, and the types of security surrounding those records. 

Personal information within the scope of this request pertains to PM USA employees, 
customers, retailers, suppliers, and any other third party about which PM USA may collect 
personal information. Personal information can be divided into two categories: (1) 
Personally Identifiable Information and (2) Sensitive Information. 


Personally Identifiable Information. Personally Identifiable Information means any
information that identifies or allows direct communication with an individual. Examples of
Personally Identifiable Information include:

• Last name (with or without first name or first initial) 

• Mailing address 

• E-mail address 

• Social Security number 

• State driver’s license number 

• State identification card number 

• Military identification 

• Account number, credit or debit card number in combination with any required 
security code, access code, or password that would permit access to an individual’s 
financial account 

• Telephone or fax number 


Sensitive Information. Sensitive Information is information that is personal and sensitive in 
nature but which, by itself, does not identify or allow direct communication with an 
individual. Examples of Sensitive Information include: 

• Age (if under 13, there are heightened privacy rules under the Children’s Online 
Privacy Protection Act) 

• Gender 

• Race or ethnicity 

• Religion 

• Sexuality 

• Associations or memberships 

• Health and medical information 

• Occupation 

• Education 

• Driving record 

• Income 

• Hobbies and interests 

• Purchase and order history

• Web site visits 

• Financial information (e.g., financial statements, account information, transaction
information, tax records, etc.) 

Please use the attached document (Exhibit A) to identify sources of Personal Information that 
your department is responsible for collecting and/or maintaining through the use of PM USA
systems. There are multiple tabs on the spreadsheet - please use one for each source/system. 

Please use the attached document (Exhibit B) to identify sources of Personal Information that 
your department is responsible for collecting and/or maintaining through the use of outside 
vendors or hosting companies. There are multiple tabs on the spreadsheet - please use one 
for each outside vendor or hosting company. 

In addition, please use the attached document (Exhibit C) to identify any other sources of
Non-Personal Information that your department is responsible for collecting and/or
maintaining specifically through the use of outside vendors or hosting companies. There are
multiple tabs on the spreadsheet - please use one for each outside vendor or hosting
company.


Please return your response via e-mail to Craig Saxon no later than cob Friday, January 23, 
2004. We realize that not all departments are responsible for this kind of information, but we 
would like your response as well. If you have any questions about this request, please call 
Craig at 804.864.6795. 

